
Can't get rid of google redirects..


  • This topic is locked
17 replies to this topic

#1 tuhtles

tuhtles

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 28 November 2009 - 12:30 AM

I ran Malwarebytes and it said it deleted some files, but Google redirects still occur. I've also tried online to find how to get rid of the redirects, but none of the methods worked. My logs are attached. I appreciate any help. Thanks in advance. :(



DDS (Ver_09-10-13.01) - NTFSx86
Run by Merry Huang at 23:03:02.37 on Fri 11/27/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.342 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Merry Huang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\merry huang\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.0\masqform.exe -UpdateCurrentUser
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\handwr~1.lnk - c:\program files\handwriter\HandWriting.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &Search
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\merryh~1\applic~1\mozilla\firefox\profiles\60l7r9bk.default\
FF - component: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\common files\dvdvideosoft\dll\ffcontextmenuy\components\FFContextMenu.dll
FF - plugin: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\merry huang\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S4 0088171258592489mcinstcleanup;McAfee Application Installer Cleanup (0088171258592489);c:\windows\temp\008817~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\008817~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-10 14336]

=============== Created Last 30 ================

2009-11-27 22:05 260,608 a------- c:\windows\PEV.exe
2009-11-27 22:05 161,792 a------- c:\windows\SWREG.exe
2009-11-27 22:05 98,816 a------- c:\windows\sed.exe
2009-11-01 11:13 73,728 a------- c:\windows\system32\javacpl.cpl
2009-11-01 11:07 38,797,312 a------- c:\documents and settings\merry huang\java_ee_sdk-5_07-jdk-6u16-windows.exe

==================== Find3M ====================

2009-11-01 11:12 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-25 06:11 77,312 a------- c:\windows\MBR.exe
2009-10-22 03:19 5,939,712 a------- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 08:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 08:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 15:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 15:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2007-02-16 10:50 1,517,568 a------- c:\documents and settings\merry huang\Shellstyle.dll
2008-08-29 20:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 23:05:35.45 ===============


#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:03:16 AM

Posted 02 December 2009 - 02:21 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please post a fresh DDS log.

MalWare Removal University Master

Member of ASAP


#3 tuhtles

tuhtles
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 03 December 2009 - 04:10 PM

No, it's fine. I'm patient. Thank you for assisting me! I really appreciate it! :D

Here's my new DDS log:




DDS (Ver_09-10-13.01) - NTFSx86
Run by Merry Huang at 15:04:37.00 on Thu 12/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.173 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HandWriter\HandWriting.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Merry Huang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\merry huang\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.0\masqform.exe -UpdateCurrentUser
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\handwr~1.lnk - c:\program files\handwriter\HandWriting.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &Search
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\merryh~1\applic~1\mozilla\firefox\profiles\60l7r9bk.default\
FF - component: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\common files\dvdvideosoft\dll\ffcontextmenuy\components\FFContextMenu.dll
FF - plugin: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\merry huang\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S4 0088171258592489mcinstcleanup;McAfee Application Installer Cleanup (0088171258592489);c:\windows\temp\008817~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\008817~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-10 14336]

=============== Created Last 30 ================

2009-11-27 22:05 260,608 a------- c:\windows\PEV.exe
2009-11-27 22:05 161,792 a------- c:\windows\SWREG.exe
2009-11-27 22:05 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-11-01 11:12 411,368 a------- c:\windows\system32\deploytk.dll
2009-11-01 11:10 38,797,312 a------- c:\documents and settings\merry huang\java_ee_sdk-5_07-jdk-6u16-windows.exe
2009-10-25 06:11 77,312 a------- c:\windows\MBR.exe
2009-10-22 03:19 5,939,712 a------- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 08:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 08:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2007-02-16 10:50 1,517,568 a------- c:\documents and settings\merry huang\Shellstyle.dll
2008-08-29 20:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 15:07:44.23 ===============

#4 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:03:16 AM

Posted 04 December 2009 - 12:42 AM

Your version of DDS is out of date. Delete DDS.scr, then download the latest version of DDS from one of the links below:

here or here.

After that, I'd like you to run DDS again and post a new DDS and Attach.txt log. I'd also like you to run RootRepeal and post a fresh RootRepeal log as well.

Use multiple posts if you can't fit everything into one post.

Edited by km2357, 04 December 2009 - 12:42 AM.

MalWare Removal University Master

Member of ASAP


#5 tuhtles

tuhtles
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 04 December 2009 - 04:28 PM

Here's my DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Merry Huang at 14:56:37.59 on Fri 12/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.250 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HandWriter\HandWriting.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\Documents and Settings\Merry Huang\My Documents\Downloads\dds.scr
c:\PROGRA~1\mcafee\msc\mcshell.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\merry huang\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.0\masqform.exe -UpdateCurrentUser
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\handwr~1.lnk - c:\program files\handwriter\HandWriting.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &Search
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\merryh~1\applic~1\mozilla\firefox\profiles\60l7r9bk.default\
FF - component: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\common files\dvdvideosoft\dll\ffcontextmenuy\components\FFContextMenu.dll
FF - plugin: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\merry huang\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-12-28 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-12-28 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-12-28 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-12-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-12-28 35272]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-12-28 606736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-28 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-12-28 40552]
S4 0088171258592489mcinstcleanup;McAfee Application Installer Cleanup (0088171258592489);c:\windows\temp\008817~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\008817~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

=============== Created Last 30 ================

2009-11-28 04:05:05 98816 ----a-w- c:\windows\sed.exe
2009-11-28 04:05:05 260608 ----a-w- c:\windows\PEV.exe
2009-11-28 04:05:05 161792 ----a-w- c:\windows\SWREG.exe
2009-11-12 20:52:20 49736 ----a-w- c:\documents and settings\merry huang\.recently-used.xbel

==================== Find3M ====================

2009-11-01 17:12:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-01 17:10:00 38797312 ----a-w- c:\documents and settings\merry huang\java_ee_sdk-5_07-jdk-6u16-windows.exe
2009-10-25 12:11:34 77312 ----a-w- c:\windows\MBR.exe
2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2008-08-30 02:33:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 15:02:49.06 ===============



Rootrepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/04 15:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEBAE000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\verC2.tmp
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\merry huang\local settings\temp\etilqs_dsogthaw7v6xfwju1ey1
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\data_0
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\data_1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\data_2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\data_3
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\data_4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\data_5
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000001
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000002
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000003
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000004
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000005
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000006
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000007
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000009
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00000a
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00000b
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00000c
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00000e
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000012
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000013
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000014
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000015
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000016
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000018
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000019
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00001a
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00001b
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00001c
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00001e
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000020
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000021
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000022
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000023
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000024
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000027
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000028
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000029
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00002a
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00002b
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00002c
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00002d
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00002e
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00002f
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000030
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000031
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000032
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000033
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000034
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000035
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000038
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000039
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00003a
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00003d
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00003e
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00003f
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000040
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000042
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000043
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000045
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000046
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000047
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000048
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000049
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00004a
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00004b
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00004c
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00004d
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00004e
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000051
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000052
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000053
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000054
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000055
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000056
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000057
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000058
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000059
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00005a
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00005b
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00005c
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00005d
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00005e
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00005f
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000061
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000010
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000025
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00003c
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00004f
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000062
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000078
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00008d
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000a1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000b5
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000ca
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000de
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000f3
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000107
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00011c
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000131
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000143
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000159
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000066
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00006b
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00006c
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00006d
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00006e
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00006f
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000070
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000071
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000072
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000073
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000074
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000075
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000076
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000077
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000079
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00007a
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00007c
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00007d
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00007e
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00007f
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000080
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000081
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000082
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000083
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000084
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000085
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000086
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000087
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000088
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000089
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00008a
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00008b
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00008c
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00008e
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00008f
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000090
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000091
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000092
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000095
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000096
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000097
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000098
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000099
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00009d
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00009e
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_00009f
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000a0
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000a2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000a3
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000a4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000a5
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000a6
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000a7
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000a8
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000a9
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000ab
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000ad
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000af
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000b0
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000b1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000b2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_0000b3
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Applicat
SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xec9900b0

==EOF==


Also I got an error "could not read our index block" (or something like that) after RootRepeal finished scanning.

Attached Files



#6 km2357
  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 05 December 2009 - 01:21 PM

Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

MalWare Removal University Master

Member of ASAP


#7 tuhtles
  • Topic Starter
  • Members
  • 8 posts

Posted 06 December 2009 - 01:31 AM

Here's my log :)


ComboFix 09-12-05.03 - Merry Huang 12/06/2009 0:05.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.607 [GMT -6:00]
Running from: c:\documents and settings\Merry Huang\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
Infected copy of c:\windows\system32\drivers\iastor.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
.

2009-11-28 00:55 . 2009-11-28 00:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-28 00:51 . 2009-11-28 03:24 -------- d-----w- c:\documents and settings\Merry Huang\Local Settings\Application Data\trpehj
2009-11-11 03:45 . 2009-11-11 03:45 -------- d-----w- c:\documents and settings\Wu Gui\Application Data\WinPatrol
2009-11-11 02:41 . 2009-11-11 02:41 -------- d-----w- c:\documents and settings\Wu Gui\Local Settings\Application Data\Apple
2009-11-11 02:39 . 2009-11-11 02:40 -------- d-----w- c:\documents and settings\Wu Gui\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-06 04:41 . 2009-10-01 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLive
2009-12-06 03:53 . 2008-05-19 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-12 20:52 . 2008-08-19 22:25 -------- d-----w- c:\documents and settings\Merry Huang\Application Data\gtk-2.0
2009-11-05 02:09 . 2009-11-05 02:09 152576 ----a-w- c:\documents and settings\Merry Huang\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-01 20:57 . 2009-11-01 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-01 20:57 . 2009-11-01 20:57 -------- d-----w- c:\program files\NOS
2009-11-01 17:12 . 2008-11-14 21:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-01 17:10 . 2009-11-01 17:07 38797312 ----a-w- c:\documents and settings\Merry Huang\java_ee_sdk-5_07-jdk-6u16-windows.exe
2009-11-01 17:04 . 2005-09-01 06:22 -------- d-----w- c:\program files\Java
2009-10-31 17:00 . 2008-11-16 04:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-25 23:41 . 2009-10-25 23:41 -------- d-----w- c:\documents and settings\Wu Gui\Application Data\Malwarebytes
2009-10-25 22:29 . 2008-11-12 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 22:31 . 2009-03-30 01:58 117760 ----a-w- c:\documents and settings\Merry Huang\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-24 22:30 . 2009-03-30 01:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-24 03:57 . 2009-10-24 03:57 99344 ----a-w- c:\documents and settings\Wu Gui\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 00:29 . 2009-10-23 00:29 -------- d-----w- c:\documents and settings\Wu Gui\Application Data\PureEdge
2009-10-23 00:08 . 2009-10-23 00:06 -------- d-----w- c:\program files\ERUNT
2009-10-21 03:31 . 2009-10-21 03:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinPatrol
2009-10-16 02:38 . 2009-10-16 02:38 -------- d-----w- c:\program files\HandWriter
2009-10-16 02:38 . 2005-09-01 06:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-10 14:33 . 2009-10-10 14:33 399872 ----a-w- c:\documents and settings\All Users\Application Data\PPLive\test_vod2.dll
2009-10-10 01:14 . 2009-10-10 01:14 432128 ----a-w- c:\documents and settings\All Users\Application Data\PPLive\test_vod3.dll
2009-10-02 01:35 . 2009-10-02 01:35 468480 ----a-w- c:\documents and settings\All Users\Application Data\PPLive\test_vod1.dll
2009-09-30 19:55 . 2009-01-23 01:51 177024 ----a-w- c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\FlashGot.exe
2009-09-29 21:00 . 2008-12-16 23:02 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-23 22:37 . 2009-11-01 20:56 34112 ----a-w- c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-09-23 22:37 . 2009-11-01 20:56 32448 ----a-w- c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-09-23 22:37 . 2009-11-01 20:56 22352 ----a-w- c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-09-16 15:22 . 2007-12-28 22:17 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2007-12-28 22:17 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2007-12-28 22:17 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2007-12-28 22:17 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2007-12-28 22:17 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-11-12 21:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-11-12 21:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-28_04.33.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-06 06:03 . 2009-12-06 06:03 16384 c:\windows\Temp\Perflib_Perfdata_114.dat
+ 2004-08-04 03:59 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
- 2009-10-28 04:06 . 2009-11-28 04:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-28 16:19 . 2009-12-06 03:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-09-07 03:04 . 2009-12-06 03:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-09-07 03:04 . 2009-11-28 04:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-28 04:06 . 2009-12-06 03:41 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-10-28 04:06 . 2009-11-28 04:23 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-07-02 07:46 . 2009-11-28 03:47 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-07-02 07:46 . 2009-12-06 03:33 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"Google Update"="c:\documents and settings\Merry Huang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-05 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-24 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HandWriting Software.lnk - c:\program files\HandWriter\HandWriting.exe [2009-10-15 1781760]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-24 22:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\McAfee\\MPF\\MpfSrv.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"5961:TCP"= 5961:TCP:ppLive
"6311:UDP"= 6311:UDP:ppLive

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 1:07 PM 74480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 1:07 PM 7408]
S4 0088171258592489mcinstcleanup;McAfee Application Installer Cleanup (0088171258592489);c:\windows\TEMP\008817~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\008817~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\
FF - component: c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - plugin: c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Merry Huang\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-06 00:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6b,8b,7e,8e,ac,0c,5c,42,93,75,97,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6b,8b,7e,8e,ac,0c,5c,42,93,75,97,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2009-12-06 00:28
ComboFix-quarantined-files.txt 2009-12-06 06:27
ComboFix2.txt 2009-11-28 04:46
ComboFix3.txt 2009-10-27 23:59

Pre-Run: 87,322,480,640 bytes free
Post-Run: 87,285,833,728 bytes free

- - End Of File - - 19FF09DEAB35F883B29C4C64B0F01CA9
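The two logs posted so far already carry the three things an analyst pulls out first: the files RootRepeal reports as invisible to the Windows API, the SSDT hook it attributes to SASKUTIL.sys, and the two storage drivers (atapi.sys and iastor.sys) that ComboFix reports as infected and disinfected. The script below is an added example, not part of this thread and not code from RootRepeal or ComboFix; it parses those three line shapes out of a saved log and summarises them. The embedded sample is a short excerpt constructed from the output above, and the list of product directories treated as trusted hook owners (SUPERAntiSpyware, McAfee and Malwarebytes, all of which appear in this machine's log) is an assumption chosen for the example.

```python
import ntpath
import re
from collections import Counter

# Constructed sample input: a short excerpt of the RootRepeal and ComboFix
# output posted in this thread, reduced to the three line shapes parsed below.
SAMPLE_LOG = r"""
Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000098
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\User Data\Default\Cached Theme Images\f_000099
Status: Invisible to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xec9900b0

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
Infected copy of c:\windows\system32\drivers\iastor.sys was found and disinfected
"""

# Assumption for this example: SSDT hooks owned by modules under these product
# directories are expected on this machine (all three products appear in the log).
TRUSTED_HOOK_DIRS = (
    r"c:\program files\superantispyware",
    r"c:\program files\mcafee",
    r"c:\program files\mcafee.com",
    r"c:\program files\common files\mcafee",
    r"c:\program files\malwarebytes' anti-malware",
)

# RootRepeal prints a "Path:" line followed by a "Status:" line.
HIDDEN_RE = re.compile(r"^Path: (.+?)\r?\nStatus: Invisible to the Windows API!", re.M)
# RootRepeal SSDT section: index, function name, then the hooking module and address.
HOOK_RE = re.compile(
    r'^#: (\d+) Function Name: (\w+)\r?\nStatus: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)',
    re.M,
)
# ComboFix "Other Deletions" section.
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected\s*$", re.M)


def parse_hidden_files(text):
    """Paths RootRepeal reported as invisible to the Windows API."""
    return [m.group(1).strip() for m in HIDDEN_RE.finditer(text)]


def parse_ssdt_hooks(text):
    """SSDT entries RootRepeal reported as hooked, with the owning module."""
    return [
        {"index": int(m.group(1)), "function": m.group(2),
         "module": m.group(3), "address": m.group(4)}
        for m in HOOK_RE.finditer(text)
    ]


def parse_disinfected(text):
    """Files ComboFix reported as infected and replaced."""
    return [m.group(1).strip() for m in DISINFECTED_RE.finditer(text)]


def classify_hook(module_path, trusted_dirs=TRUSTED_HOOK_DIRS):
    """'expected' if the hooking module lives under a trusted product directory."""
    folder = ntpath.dirname(module_path).lower() + "\\"
    if any(folder.startswith(d + "\\") for d in trusted_dirs):
        return "expected"
    return "unexpected"


def triage(text):
    """Summarise the three finding types from one log in a single dict."""
    hidden = parse_hidden_files(text)
    disinfected = parse_disinfected(text)
    return {
        # Many hidden files in one folder usually share one cause; count per folder.
        "hidden_by_dir": dict(Counter(ntpath.dirname(p) for p in hidden)),
        "hooks": [dict(h, verdict=classify_hook(h["module"])) for h in parse_ssdt_hooks(text)],
        "disinfected": disinfected,
        # Kernel drivers that were replaced are the entries to escalate.
        "disinfected_drivers": [p for p in disinfected if p.lower().endswith(".sys")],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

To use it on a real case, read the saved RootRepeal or ComboFix text file and pass its contents to `triage()`. A hook whose verdict is "unexpected", or any entry in `disinfected_drivers`, is what to raise with the helper; a large count of hidden files in a single directory is worth reporting as one item rather than pasting every path.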

#8 km2357
  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 07 December 2009 - 02:25 PM

Step # 1: Run CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    
    DirLook::
    
    c:\documents and settings\Merry Huang\Local Settings\Application Data\trpehj


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image

    Note: This CFScript is for use on tuhtles's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.

MalWare Removal University Master

Member of ASAP


#9 tuhtles
  • Topic Starter
  • Members
  • 8 posts

Posted 08 December 2009 - 10:41 PM

Here's my ComboFix log :(

ComboFix 09-12-05.03 - Merry Huang 12/08/2009 20:51.10.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.556 [GMT -6:00]
Running from: c:\documents and settings\Merry Huang\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Merry Huang\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
.

2009-12-06 06:30 . 2009-12-04 19:22 110592 ----a-w- c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
2009-11-28 00:55 . 2009-11-28 00:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-28 00:51 . 2009-11-28 03:24 -------- d-----w- c:\documents and settings\Merry Huang\Local Settings\Application Data\trpehj
2009-11-11 03:45 . 2009-11-11 03:45 -------- d-----w- c:\documents and settings\Wu Gui\Application Data\WinPatrol
2009-11-11 02:41 . 2009-11-11 02:41 -------- d-----w- c:\documents and settings\Wu Gui\Local Settings\Application Data\Apple
2009-11-11 02:39 . 2009-11-11 02:40 -------- d-----w- c:\documents and settings\Wu Gui\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 02:16 . 2009-10-01 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLive
2009-12-08 20:47 . 2008-05-19 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-12 20:52 . 2008-08-19 22:25 -------- d-----w- c:\documents and settings\Merry Huang\Application Data\gtk-2.0
2009-11-05 02:09 . 2009-11-05 02:09 152576 ----a-w- c:\documents and settings\Merry Huang\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-01 20:57 . 2009-11-01 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-01 20:57 . 2009-11-01 20:57 -------- d-----w- c:\program files\NOS
2009-11-01 17:12 . 2008-11-14 21:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-01 17:10 . 2009-11-01 17:07 38797312 ----a-w- c:\documents and settings\Merry Huang\java_ee_sdk-5_07-jdk-6u16-windows.exe
2009-11-01 17:04 . 2005-09-01 06:22 -------- d-----w- c:\program files\Java
2009-10-31 17:00 . 2008-11-16 04:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-25 23:41 . 2009-10-25 23:41 -------- d-----w- c:\documents and settings\Wu Gui\Application Data\Malwarebytes
2009-10-25 22:29 . 2008-11-12 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 22:31 . 2009-03-30 01:58 117760 ----a-w- c:\documents and settings\Merry Huang\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-24 22:30 . 2009-03-30 01:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-24 03:57 . 2009-10-24 03:57 99344 ----a-w- c:\documents and settings\Wu Gui\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 00:29 . 2009-10-23 00:29 -------- d-----w- c:\documents and settings\Wu Gui\Application Data\PureEdge
2009-10-23 00:08 . 2009-10-23 00:06 -------- d-----w- c:\program files\ERUNT
2009-10-21 03:31 . 2009-10-21 03:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinPatrol
2009-10-16 02:38 . 2009-10-16 02:38 -------- d-----w- c:\program files\HandWriter
2009-10-16 02:38 . 2005-09-01 06:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-10 14:33 . 2009-10-10 14:33 399872 ----a-w- c:\documents and settings\All Users\Application Data\PPLive\test_vod2.dll
2009-10-10 01:14 . 2009-10-10 01:14 432128 ----a-w- c:\documents and settings\All Users\Application Data\PPLive\test_vod3.dll
2009-10-02 01:35 . 2009-10-02 01:35 468480 ----a-w- c:\documents and settings\All Users\Application Data\PPLive\test_vod1.dll
2009-09-30 19:55 . 2009-01-23 01:51 177024 ----a-w- c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\FlashGot.exe
2009-09-29 21:00 . 2008-12-16 23:02 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-23 22:37 . 2009-11-01 20:56 34112 ----a-w- c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-09-23 22:37 . 2009-11-01 20:56 32448 ----a-w- c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-09-23 22:37 . 2009-11-01 20:56 22352 ----a-w- c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-09-16 15:22 . 2007-12-28 22:17 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2007-12-28 22:17 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2007-12-28 22:17 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2007-12-28 22:17 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2007-12-28 22:17 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-11-12 21:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-11-12 21:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Merry Huang\Local Settings\Application Data\trpehj ----



((((((((((((((((((((((((((((( SnapShot@2009-11-28_04.33.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-09 03:10 . 2009-12-09 03:10 16384 c:\windows\Temp\Perflib_Perfdata_138.dat
+ 2004-08-04 03:59 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2005-09-07 03:04 . 2009-12-09 01:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-09-07 03:04 . 2009-11-28 04:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-06 15:49 . 2009-12-09 01:02 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-10-28 04:06 . 2009-11-28 04:23 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-02 07:46 . 2009-12-06 03:33 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-07-02 07:46 . 2009-11-28 03:47 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"Google Update"="c:\documents and settings\Merry Huang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-05 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-24 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HandWriting Software.lnk - c:\program files\HandWriter\HandWriting.exe [2009-10-15 1781760]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-24 22:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\McAfee\\MPF\\MpfSrv.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"5961:TCP"= 5961:TCP:ppLive
"6311:UDP"= 6311:UDP:ppLive

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 1:07 PM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 1:07 PM 7408]
S4 0088171258592489mcinstcleanup;McAfee Application Installer Cleanup (0088171258592489);c:\windows\TEMP\008817~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\008817~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\
FF - component: c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - plugin: c:\documents and settings\Merry Huang\Application Data\Mozilla\Firefox\Profiles\60l7r9bk.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Merry Huang\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-08 21:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6b,8b,7e,8e,ac,0c,5c,42,93,75,97,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6b,8b,7e,8e,ac,0c,5c,42,93,75,97,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2648)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\stsystra.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\documents and settings\Merry Huang\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2009-12-08 21:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-09 03:35
ComboFix2.txt 2009-12-06 06:28
ComboFix3.txt 2009-11-28 04:46
ComboFix4.txt 2009-10-27 23:59

Pre-Run: 87,225,233,408 bytes free
Post-Run: 87,129,645,056 bytes free

- - End Of File - - 8AB72E48152DC6410CD960C98BA64035


And here's my DDS log:


DDS (Ver_09-10-13.01) - NTFSx86
Run by Merry Huang at 21:38:59.25 on Tue 12/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.369 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HandWriter\HandWriting.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Merry Huang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\merry huang\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.0\masqform.exe -UpdateCurrentUser
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\handwr~1.lnk - c:\program files\handwriter\HandWriting.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &Search
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\merryh~1\applic~1\mozilla\firefox\profiles\60l7r9bk.default\
FF - component: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\common files\dvdvideosoft\dll\ffcontextmenuy\components\FFContextMenu.dll
FF - plugin: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\merry huang\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S4 0088171258592489mcinstcleanup;McAfee Application Installer Cleanup (0088171258592489);c:\windows\temp\008817~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\008817~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-10 14336]

=============== Created Last 30 ================

2009-11-27 22:05 260,608 a------- c:\windows\PEV.exe
2009-11-27 22:05 161,792 a------- c:\windows\SWREG.exe
2009-11-27 22:05 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-11-01 11:12 411,368 a------- c:\windows\system32\deploytk.dll
2009-11-01 11:10 38,797,312 a------- c:\documents and settings\merry huang\java_ee_sdk-5_07-jdk-6u16-windows.exe
2009-10-25 06:11 77,312 a------- c:\windows\MBR.exe
2009-10-22 03:19 5,939,712 a------- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 08:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 08:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2007-02-16 10:50 1,517,568 a------- c:\documents and settings\merry huang\Shellstyle.dll
2008-08-29 20:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 21:40:36.39 ===============



The Google redirects no longer occur!! :D I'm thinking it's fixed?

Edited by tuhtles, 08 December 2009 - 10:41 PM.
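
A small differ for the DDS "Pseudo HJT Report" section, added here as a worked example; it is not part of the original thread and is not code from the DDS tool or from BleepingComputer. It does mechanically what km2357 does by eye between posts: compare the autostart entries (uRun/mRun, TB, BHO, Notify, DPF and similar) of one DDS run with the next, list what was added, removed or changed, and flag entries whose target DDS prints as "No File" or leaves blank. DDS publishes no grammar for its output, so the line shapes parsed below are inferred from the logs above and are an assumption. The two embedded excerpts are trimmed copies of the 12/08 log in this post and of the 12/15 log tuhtles posts later in the thread.

```python
"""Diff the autostart entries reported by two DDS logs.

Added example for this thread; not part of the original posts and not code
from the DDS tool. DDS publishes no grammar for its output, so the line
shapes handled here are inferred from the logs in the thread (an assumption).
"""
import re
from typing import Dict, List, Tuple

# Line shapes seen in the 'Pseudo HJT Report' section of the logs above:
#   uRun: [name] command             HKCU ...\Run value
#   mRun: [name] command             HKLM ...\Run value
#   TB: {clsid} - path | No File     IE toolbar
#   BHO: Name: {clsid} - path        browser helper object
#   Notify: name - path              winlogon notify package
#   DPF: {clsid} - hxxp://...        downloaded ActiveX (CAB)
# 'IE:' context-menu entries are skipped: they carry no target path, so they
# would show up as false 'orphans' below.
ENTRY_RE = re.compile(
    r"^(?P<kind>uRun|mRun|TB|BHO|Notify|SEH|SSODL|DPF|StartupFolder): (?P<body>.+)$"
)
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

Entry = Tuple[str, str]  # (kind, key), e.g. ("mRun", "WinPatrol")


def parse_hjt(log: str) -> Dict[Entry, str]:
    """Map (kind, key) -> target for the 'Pseudo HJT Report' section only.

    Parsing stops at the next '====' banner so the FIREFOX and SERVICES
    sections, which use different line shapes, are not mixed in.
    """
    entries: Dict[Entry, str] = {}
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("===="):
            in_section = "Pseudo HJT Report" in line
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("uRun", "mRun"):
            run = RUN_RE.match(body)
            if not run:
                continue
            key, target = run.group("name"), run.group("cmd")
        else:
            # Split on the first ' - ' separator; CLSIDs and URLs contain
            # dashes too, but never one preceded by whitespace.
            parts = re.split(r"\s+-\s*", body, maxsplit=1)
            key, target = parts[0], (parts[1] if len(parts) > 1 else "")
        entries[(kind, key)] = target.strip()
    return entries


def diff_hjt(old: str, new: str) -> Tuple[List[Entry], List[Entry], List[Entry]]:
    """Return (added, removed, changed) entry keys between two DDS runs."""
    a, b = parse_hjt(old), parse_hjt(new)
    added = sorted(k for k in b if k not in a)
    removed = sorted(k for k in a if k not in b)
    changed = sorted(k for k in a if k in b and a[k] != b[k])
    return added, removed, changed


def orphaned(log: str) -> List[Entry]:
    """Entries whose target is gone: DDS prints 'No File' or leaves it blank."""
    return sorted(k for k, v in parse_hjt(log).items() if v in ("No File", ""))


# Constructed sample input: trimmed copies of the 12/08 and 12/15 DDS logs
# posted in this thread (only a handful of lines kept from each).
LOG_DEC08 = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

================= FIREFOX ===================
"""

LOG_DEC15 = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon -

================= FIREFOX ===================
"""

if __name__ == "__main__":
    added, removed, changed = diff_hjt(LOG_DEC08, LOG_DEC15)
    for label, keys in (("added", added), ("removed", removed), ("changed", changed)):
        for kind, key in keys:
            print(f"{label:8} {kind}: {key}")
    for kind, key in orphaned(LOG_DEC15):
        print(f"orphan   {kind}: {key}")
```

Run as-is to see the changes between the two excerpts: Adobe's ARM updater and PDF Link Helper BHO appear, the SUPERAntiSpyware and one-shot Malwarebytes Run values are gone, the Java DPF moved from 6u16 to 6u17, and the !SASWinLogon Notify entry now has an empty target. Orphans such as the "No File" toolbar CLSID are worth cleaning up but are not by themselves evidence of an infection; what a responder looks for is an added or changed entry nobody installed on purpose.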


#10 km2357 (Malware Response Team, 1,784 posts, Location: California)

Posted 09 December 2009 - 12:20 AM

The Google redirects no longer occur!! :D I'm thinking it's fixed?


Though it looks like your Google redirects problem is fixed, I would like to run a few more scans on your computer to make sure nothing else is wrong.



Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u17.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click Add/Remove Programs and remove all older versions of Java.
  • Remove the following old versions of Java:

  • Java™ 6 Update 16

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.
Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 3 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.
Post the MalwareBytes' Log in your next post/reply.

Edited by km2357, 09 December 2009 - 12:22 AM.

MalWare Removal University Master

Member of ASAP


#11 tuhtles (Topic Starter, Members, 8 posts)

Posted 11 December 2009 - 09:42 PM

I scanned and nothing came up. I think the problem is fixed. Thank you so much for your help! I really appreciate it.

#12 km2357 (Malware Response Team, 1,784 posts, Location: California)

Posted 12 December 2009 - 12:56 PM

One final scan to go.


Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)
  • First, go to Add/Remove Programs and uninstall Adobe Reader 7.0.9.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts
Note: Adobe 9.2.0 is a large program and if you prefer a smaller program you can get Foxit 3.1.4 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

If you decide to install Foxit 3.1.4 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any other problems?



#13 km2357 (Malware Response Team, 1,784 posts, Location: California)

Posted 15 December 2009 - 02:16 PM

tuhtles? How are things coming along?



#14 tuhtles (Topic Starter, Members, 8 posts)

Posted 15 December 2009 - 09:00 PM

Hi, sorry for the delay. The Kaspersky scan takes a while, and I haven't had a lot of time on my hands.
I tried to run the Kaspersky scan today while using the computer for doing homework. It made my computer lag a lot, so I stopped it at 84%. The browser froze and I couldn't really get the log, but I took a screen shot of it. I wonder if this helps? If not, I can probably attempt to do another scan later this week when time permits.

Otherwise, my computer is doing great! No redirects!


Posted Image


DDS:

DDS (Ver_09-10-13.01) - NTFSx86
Run by Merry Huang at 19:39:29.65 on Tue 12/15/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.382 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\IZArc\IZArc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Merry Huang\Desktop\stuff\Sid's Auto Adopter Public.exe
C:\Documents and Settings\Merry Huang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Merry Huang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\merry huang\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.0\masqform.exe -UpdateCurrentUser
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &Search
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: !SASWinLogon -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\merryh~1\applic~1\mozilla\firefox\profiles\60l7r9bk.default\
FF - component: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\common files\dvdvideosoft\dll\ffcontextmenuy\components\FFContextMenu.dll
FF - plugin: c:\documents and settings\merry huang\application data\mozilla\firefox\profiles\60l7r9bk.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\merry huang\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S4 0088171258592489mcinstcleanup;McAfee Application Installer Cleanup (0088171258592489);c:\windows\temp\008817~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\008817~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-10 14336]

=============== Created Last 30 ================

2009-11-27 22:05 260,608 a------- c:\windows\PEV.exe
2009-11-27 22:05 161,792 a------- c:\windows\SWREG.exe
2009-11-27 22:05 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-12-03 16:14 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-01 11:10 38,797,312 a------- c:\documents and settings\merry huang\java_ee_sdk-5_07-jdk-6u16-windows.exe
2009-10-28 08:40 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-25 06:11 77,312 a------- c:\windows\MBR.exe
2009-10-20 23:38 75,776 a------- c:\windows\system32\strmfilt.dll
2009-10-20 23:38 25,088 a------- c:\windows\system32\httpapi.dll
2009-10-20 23:38 75,776 -------- c:\windows\system32\dllcache\strmfilt.dll
2009-10-20 23:38 25,088 -------- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 10:20 265,728 a------- c:\windows\system32\drivers\http.sys
2009-10-20 10:20 265,728 -------- c:\windows\system32\dllcache\http.sys
2009-10-13 04:30 270,336 a------- c:\windows\system32\oakley.dll
2009-10-13 04:30 270,336 -------- c:\windows\system32\dllcache\oakley.dll
2009-10-12 07:38 149,504 a------- c:\windows\system32\rastls.dll
2009-10-12 07:38 149,504 -------- c:\windows\system32\dllcache\rastls.dll
2009-10-12 07:38 79,872 a------- c:\windows\system32\raschap.dll
2009-10-12 07:38 79,872 -------- c:\windows\system32\dllcache\raschap.dll
2009-10-11 04:17 411,368 a------- c:\windows\system32\deploytk.dll
2007-02-16 10:50 1,517,568 a------- c:\documents and settings\merry huang\Shellstyle.dll
2008-08-29 20:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 19:40:52.67 ===============


#15 km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:03:16 AM

Posted 16 December 2009 - 12:02 AM

Your DDS Logs look good. :(

Go ahead and retry Kaspersky again later this week (try running it when you aren't doing anything on the computer, so it won't lag you) and if you have any trouble running it to completion, I have another online scanner you can try in its place.

MalWare Removal University Master

Member of ASAP